- A fake 3D printed resin fingerprint has beaten the Samsung Galaxy S10 fingerprint sensor.
- The hacker did it all in under 15 minutes, and capturing the original fingerprint didn’t require anything special.
- Biometric authentication is not ready yet, at least not for your fingertips, and not on your smartphone.
The Samsung Galaxy S10’s fingerprint sensor is the best in-display sensor we have seen so far, sporting ultrasonic technology to lower the chance of “misses” and increase the level of the phone’s security. Impressive as this new tech may be, it isn’t fully secure against spoofed fingerprints, as the Imgur user “darkshark” has highlighted today. To trick the phone into unlocking, the hacker had to present a 3D fingerprint, since the ultrasonic sensor “sees” into your finger’s tiny grooves and crevices. Given that requirement, the only way to do it would be to 3D print a fingerprint, and that is precisely what he did.
The hacker took his own fingerprint from the side of a wine glass, by simply taking a close-up photo of it. While he used a “mere” smartphone to do that, he conveniently points out that if someone were to use a powerful DSLR, they could potentially capture someone else’s fingerprints from afar. The next steps included importing the image to Photoshop, increasing the contrast, and creating an alpha mask. This was followed by an export to 3ds Max, so that the raised 3D model could be generated.
The hacker used an AnyCubic Photon LCD resin printer at an accuracy setting of 10 microns, so admittedly, a pretty high-grade machine. After two failed attempts, the third one worked, and the video below shows it.
Each printing session took about 13 minutes to complete, so this isn’t a long and strenuous procedure at all. As Darkshark puts it: “If I steal someone’s phone, their fingerprints are already on it. I can do this entire process in less than 3 minutes and remotely start the 3d print so that it’s done by the time I get to it. Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.”
This clearly shows that our best-ever fingerprint sensor isn’t good enough yet, so locking your device with biometrics alone shouldn’t be considered a safe practice just yet. Many have already grown into the habit of using only their finger to authenticate on banking and payment apps, due to the convenience that comes from it. Darkshark’s demonstration of how the Galaxy S10 can be easily (and quickly) fooled into unlocking puts things back in their place: fingerprints should be an additional, complementary measure to the password.